INTRODUCTION


DIGITALEUROPE welcomes the European Data Protection Board’s (EDPB) draft guidelines on the GDPR’s 
territorial scope. We believe that the guidelines will be very relevant for controllers and processors operating 
both within and outside the EU. 


In the following sections, we highlight areas where the draft guidelines could further consider the 
complexities of controller-processor relationships that don’t fall squarely within the remit of the GDPR. This 
will increase clarity and legal certainty along with the draft guidelines’ consideration of existing case law from 
the Court of Justice of the European Union. 


THE ESTABLISHMENT CRITERION 


DIGITALEUROPE welcomes the draft guidelines’ clear reliance on existing case law, which reinforces legal 
certainty. It should be noted that for processors such case law is not necessarily fully transferable, since the 
1995 Directive did not consider the processor as relevant for territorial applicability. This is important to take 
into consideration, given that the scope of the ‘context of the activities of an establishment of a processor’ 
is by definition much narrower than a controller’s, since the processor’s relevant context of activities in which 
processing may happen will be determined by the agreement pursuant to Art. 28(3) and the controller’s 
instructions. We would welcome it if the guidelines pointed this out and could add an example to make this 
clear. 


We also welcome the recognition that the criterion relating to ‘the context of the activities’ is not without 
limits and ‘should not be interpreted too broadly to conclude that the existence of any presence in the EU 
with even the remotest links to the data processing activities of a non-EU entity will be sufficient to bring this 
processing within the scope of EU data protection law.’¹


Example 2 could be adjusted to reflect such limits and clarify that only the ‘relevant’ processing of personal 
data by the Chinese company would be considered as carried out in the context of the activities of the 
European office. Without such clarification, the example may be read to mean that all processing activities 
by the Chinese entity are in scope (including, for example, the processing of Chinese employees located in 
China). 


1 P. 6 of the draft guidelines
Processors not subject to the GDPR


DIGITALEUROPE welcomes the clarification that the applicability of the GDPR will be assessed separately for 
controllers and processors. The EDPB notes that the ‘existence of a relationship between a controller and a 
processor does not necessarily trigger the application of the GDPR to both, should one of these two entities 
not be established in the Union.’ The EDPB also clarifies that ‘when it comes to the identification of the 
different obligations triggered by the applicability of the GDPR, the processing by each entity must be 
considered separately.’ 


In this regard, we believe the wording of the draft guidelines could be clearer when describing processing by 
a controller in the EU using a processor not subject to the GDPR. When suggesting that the controller, who 
is subject to the GDPR, has to ensure that the processor, who is not directly subject to the GDPR, complies 
with a processor’s obligations under the GDPR, the final guidelines could make it clearer that the conclusion 
of an agreement in compliance with Art. 28(3) is sufficient in this regard. 


Controllers not subject to the GDPR 


Regarding the obligations of the processor, certain clarifications would be helpful. The draft guidelines make 
it clear that a ‘non-EU’ controller will not become subject to the GDPR simply because it chooses to use a 
processor in the Union. This is helpful and important. Controllers not subject to the GDPR, but to their own 
law, will be reluctant to take on additional and burdensome legal obligations, potentially with substantial 
fines, just because the selected processor is in the EU. Any such interpretation would make EU processors 
unattractive. 


Therefore, we welcome that the guidelines acknowledge limits to processor obligations when it comes to 
non-EU controllers. Notably, the draft guidelines state that the processor wouldn’t need to assist the
non-EU controller not falling under the territorial scope of the GDPR in complying with the controller’s own GDPR
obligations, as clearly such obligations do not exist. 


We believe that further clarification in this regard is needed to take into consideration the presence of
non-EU controllers that are not subject to the GDPR. EEA processors should only be obliged to meet requirements
to the extent they are in their sphere and control (e.g. regarding technical and organisational measures) and 
where they do not require the non-EEA controller's cooperation (e.g. signing a data processing agreement). 


In this regard, we note that data breach notifications may also be challenging, as the processor’s ability to 
comply will be impacted by the inapplicability of the rules to the non-EEA controller. The obligation to 
disclose the records of processing may also create friction with non-EU controllers not subject to the GDPR, 
as it could involve the disclosure of their identity. 


It should also be considered that the current model clause templates (controller-to-controller and
controller-to-processor) are unhelpful in processor-to-controller transfer situations. In our view, transfer instruments,
such as model clauses, should not be needed at all when sending non-EEA data back to the non-EEA 
controller — such transfer merely restores the former state (the non-EEA data is with the non-EEA controller). 


2 Ibid., p. 9 
It may not be practical to list all possible concerns and challenges, but the final guidelines could include an
abstract statement recognising the limitations on processors’ ability to comply with obligations in case of 
processing for a non-EU controller, listing a few examples of where this will be the case. 


Establishments acting with independence 


Many non-EU parent companies operate in Europe through multiple branches or subsidiaries with a 
considerable degree of independence. This raises the question as to whether processing is carried out ‘in the 
context of the activities’ of such ‘establishments in the Union’ for the purposes of Art. 3(1). 


The guidelines recommend that a case-by-case in concreto assessment be made to determine whether Art. 
3(1) applies. Whilst a case-by-case analysis provides flexibility to accommodate specific circumstances, the 
final guidelines could incorporate simpler examples involving branches or subsidiaries that lack 
independence or non-EU entities with clearly no EU presence. 


THE TARGETING CRITERION 


DIGITALEUROPE welcomes the clear guidance around the application of Art. 3(2)(a). The guidelines 
emphasise that the element of ‘targeting’ individuals in the EU — either by offering goods or services to them 
or by monitoring their behaviour — must always be present. They also clarify that the demonstrable 
‘intention’ of the controller or processor to offer goods or services to a data subject located in the Union is 
indeed necessary. Example 14 is enlightening in this regard. 


While we appreciate the EDPB’s reference to Member State law in the third paragraph of this section on p. 
12, we believe that the simple list of Articles provided may lead to the impression that the GDPR’s territorial 
scope can be modified by Member States under such Articles. Providing a blanket assumption that the scope 
of these obligations can be different than that of the GDPR would undermine harmonisation, which is one of 
the main objectives of the Regulation. 


We welcome the clarification under Consideration 1 that the moment when the location of the data subject 
matters is when the ‘trigger activity takes place.’ Such clarification could also be included under the next
sections on the other aspects of Art. 3(2). This would help address some of the unpredictability in data 
subjects’ movements into and out of the Union. The guidance could in this respect also explicitly 
acknowledge such unpredictability from the perspective of the controller (and the processor). 


We also welcome Example 9 and the clarification that the mere accessibility of a service is not enough to 
trigger the GDPR’s legal obligations. 


OFFERING OF GOODS OR SERVICES 


DIGITALEUROPE welcomes the draft guidelines’ intention to ensure that there needs to be a connection 
between the processing activity and the offering of goods or services. This should be either a manifested 
intention or monitoring with the purpose of collecting and processing data related to data subjects in the 
Union. 


We believe more consistency could be achieved across the final guidelines to ensure that all the criteria for 
falling in the scope are kept in mind. For example, Example 12, paragraph 3 is written in a way that may 
suggest that all processing carried out by the Turkish website is subject to the GDPR, while the draft
guidelines themselves are clear that only the activity directed at the data subject in Europe should be. 




We would also welcome an example around the following scenario. A non-EU subsidiary of a non-EU parent
company, where the parent is established in a different non-EU country from that subsidiary and has multiple
subsidiaries in Europe, processes the personal data of EU citizens, who may currently reside in the EU or the third country
in question, in the context of its own local activities. We believe the GDPR would not apply to the processing 
in question because either the data subjects are not in the EU (EU citizens but not in the Union) or, in the 
case of EU residents, the processing activities of the non-EU subsidiary are not targeting data subjects in the 
Union. 


MONITORING OF DATA SUBJECTS’ BEHAVIOUR 


We would welcome more guidance on the nature of the processing activity which can be considered as 
‘behavioural monitoring.’ In particular, we believe the following statement needs further clarification: ‘It will 
be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent 
behavioural analysis or profiling techniques involving that data.’


The draft guidelines only include examples where individuals are specifically ‘targeted’ with the type of 
monitoring examined. However, global companies may analyse customer behaviour from a global customer 
base at aggregate level — not necessarily anonymised and including therefore EU data subjects — to take 
business or strategy decisions. We would welcome a clear statement as to whether this type of activity 
should be excluded from the GDPR’s scope. 


Processors 


As mentioned above in relation to Art. 3(1), the draft guidelines contain very little specific guidance about 
how to appropriately apply Art. 3(2) to data processors. This could very well be due to the fact that the 
criteria in Art. 3(2) are hardly applicable to processors. Processors generally do not offer goods or services 
to data subjects in accordance with Art. 3(2)(a), do not have a relevant intention in the sense of Recital 23, 
nor do they themselves conduct monitoring of data subjects’ behaviour in the sense of Art. 3(2)(b) and Recital 
24. However, it would be helpful if the EDPB could make this clearer. 


For more information please contact: 
Alberto Di Felice, DIGITALEUROPE’s Senior Policy Manager for Infrastructure, Privacy and Security 
alberto.difelice@digitaleurope.org or +32 2 609 53 10


3 Ibid., p. 18 
ABOUT DIGITALEUROPE


DIGITALEUROPE represents the digital technology industry in Europe. Our members include some of the world’s largest 
IT, telecoms and consumer electronics companies and national associations from every part of Europe. DIGITALEUROPE 
wants European businesses and citizens to benefit fully from digital technologies and for Europe to grow, attract and 
sustain the world’s best digital technology companies. DIGITALEUROPE ensures industry participation in the 
development and implementation of EU policies. 


DIGITALEUROPE’s members include in total over 35,000 ICT companies in Europe represented by 62 Corporate 
Members and 40 National Trade Associations from across Europe. Our website provides further information on our 
recent news and activities: http://www.digitaleurope.org 


DIGITALEUROPE MEMBERSHIP 
Corporate Members 


Airbus, Amazon, AMD, Apple, Arcelik, Bosch, Bose, Brother, Canon, Cisco, Dell, Dropbox, Epson, Ericsson, Fujitsu, 
Google, Hewlett Packard Enterprise, Hitachi, HP Inc., Huawei, Intel, JVC Kenwood Group, Konica Minolta, Kyocera, 
Lenovo, Lexmark, LG Electronics, Loewe, MasterCard, METRO, Microsoft, Mitsubishi Electric Europe, Motorola 
Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, Oki, Oracle, Palo Alto Networks, Panasonic Europe, Philips, 
Pioneer, Qualcomm, Ricoh Europe PLC, Rockwell Automation, Samsung, SAP, SAS, Schneider Electric, Sharp Electronics, 
Siemens, Sony, Swatch Group, Tata Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, VMware, 
Xerox. 


National Trade Associations 


Austria: IOÖ
Belarus: INFOPARK
Belgium: AGORIA
Bulgaria: BAIT
Croatia: Croatian Chamber of Economy
Cyprus: CITEA
Denmark: DI Digital, IT-BRANCHEN
Estonia: ITL
Finland: TIF
France: AFNUM, Syntec Numérique, TECH IN France
Germany: BITKOM, ZVEI
Greece: SEPE
Hungary: IVSZ
Ireland: TECHNOLOGY IRELAND
Italy: Anitec-Assinform
Lithuania: INFOBALT
Luxembourg: APSI
Netherlands: Nederland ICT, FIAR
Norway: Abelia
Poland: KIGEIT, PIIT, ZIPSEE
Portugal: AGEFE
Romania: ANIS, APDETIC
Slovakia: ITAS
Slovenia: GZS
Spain: AMETIC
Sweden: Foreningen Teknikföretagen i Sverige, IT&Telekomföretagen
Switzerland: SWICO
Turkey: Digital Turkey Platform, ECID
Ukraine: IT UKRAINE
United Kingdom: techUK


